Datatilsynet (Norway) - 18/04147
Datatilsynet (Norway) - 18/04147 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 5(1)(d) GDPR, Article 5(1)(e) GDPR, Article 5(1)(f) GDPR, Article 6(1) GDPR, Article 17(1)(a) GDPR, Article 17(1)(d) GDPR, Article 25(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 25.02.2020 |
Published: | 02.03.2020 |
Fine: | 4,000,000 NOK |
Parties: | Public Roads Administration (Statens vegvesen) |
National Case Number/Name: | 18/04147 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Norwegian |
Original Source: | Datatilsynet (in NO) |
Initial Contributor: | Rie Aleksandra Walle |
The Norwegian DPA notified the Public Roads Administration of a NOK 4,000,000 (about €396,000) fine for not deleting toll road crossing logs, thus likely violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f).
English Summary
Facts
A data subject lodged a complaint against the Norwegian Public Roads Administration (the controller) for not deleting toll road crossing logs, which included personal data related to the car tag number, location and time of crossing. The data subject demonstrated that, at the time of the complaint, the controller still stored personal data about their place of residence dating back to 2008 and 2010.
The defendant may legally store personal data related to toll road crossings for accounting purposes, but once those purposes have been fulfilled (storage for 5 years as per Norwegian accounting rules), the personal data must be deleted in line with Article 17(1) GDPR. However, the system used for keeping logs of toll road crossings lacked deletion functionality, and the DPA found that the defendant had neither assessed nor implemented technical and organisational measures as required by the GDPR.
The Norwegian DPA's investigation revealed a complex situation with several involved parties and confusion around roles and responsibilities. The DPA, however, reasoned that the defendant was the controller for the personal data at issue in the investigation.
Other parties involved were toll operators and a software supplier. The involved parties had argued amongst themselves about who was to blame for the GDPR violations, with letters dating back to May 2017. The defendant claimed they could not delete the personal data in question since the software system (where the toll road crossing logs were kept) lacked deletion functionality. As the DPA had reasoned that the defendant was the controller and thus ultimately responsible for the processing of the personal data, the decision was made against them and not the other parties involved.
Holding
The Norwegian DPA instructed the Public Roads Administration to delete, without undue delay, the personal data in the toll road crossing logs where the purpose for storing it has been fulfilled, including the complainant's data.
For the violations described above, the DPA held that it intends to fine the defendant NOK 4,000,000 (about €396,000) for violating Article 5(1) GDPR, Article 17(1)(a), Article 17(1)(d) and Article 25(1), cf. Article 5(1)(c), Article 5(1)(d), Article 5(1)(e) and Article 5(1)(f).
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Notification of infringement fee to the Norwegian Public Roads Administration
The Norwegian Data Protection Authority has notified the Norwegian Public Roads Administration of an order and infringement fee of NOK 4 million. The case concerns failure to delete passage information in the toll ring.
The Norwegian Public Roads Administration has not deleted passage information such as chip number, location and time of passage in its database. In the original system for storing passes in the toll ring, it was not possible to delete pass information.
- The Norwegian Public Roads Administration has processed personal data illegally. The delete function has been missing, and there is an enormous amount of information that has not been necessary to store, says director Bjørn Erik Thon.
Unnecessary registrations
In the assessment, special emphasis was placed on the fact that the system had not considered built-in privacy, such as automatic deletion.
- Then it is serious that the system was not set up according to the privacy regulations. People should be able to travel without unnecessary registrations, says Thon.
An infringement fee of NOK 4 million is the highest the Norwegian Data Protection Authority has so far notified in accordance with the new regulations (GDPR).
Working on a new database
In notification of orders, the Norwegian Data Protection Authority asks the Norwegian Public Roads Administration to delete personal data, such as chip number, location and time of passage, which are stored beyond the time the Norwegian Public Roads Administration can legally store this personal data. The reason is that such personal information is no longer necessary for the purpose for which it was originally collected or processed.
The Norwegian Public Roads Administration is currently working to rectify the deficiencies, and will introduce a new database where the functionality to delete data is present.
Contact person: Janne Stang Dahl, communications director
Published: 02.03.2020